METHOD AND SYSTEM FOR 
DYNAMICALLY DISTRIBUTING UPDATES 
IN A NETWORK 

TECHNICAL FIELD OF THE INVENTION

This invention relates generally to computer networking, and more particularly to a method and system for dynamically distributing updates in a network.

BACKGROUND OF THE INVENTION

Computer networks have become an increasingly important means for communicating public and private information between and within distributed locations. The Internet is one example of a public network commonly used for communicating public and private information. Internet web servers provide access to public information, such as news, business information, and government information, which the Internet makes readily available around the world. The Internet is also becoming a popular forum for business transactions, including securities transactions and sales of goods and services. A large number of people have come to depend upon reliable Internet access and secure communications on a day-by-day and even second-by-second basis. Like the Internet, private networks also have become common means for communicating important information. Private networks, such as company intranets, local area networks (LANs), and wide area networks (WANs), generally limit access on a user-by-user basis and communicate data over dedicated lines or by controlling access through passwords, encryption, or other security measures.

One danger to reliable and secure network communications is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to computer network resources can vary from simple embarrassment to substantial financial losses. For example, serious financial disruptions occur when hackers obtain financial account information or credit card information and use that information to misappropriate funds.

Typically, network administrators use various levels of security measures to protect the network against unauthorized use. Intrusion detection systems are commonly used to detect and identify unauthorized use of a computer network before the network resources and information are substantially disrupted or violated. In general, intrusion detection systems look for specific patterns in network traffic, known as intrusion signatures, to detect malicious activity. Conventional intrusion detection systems often use finite state machines, simple pattern matching, or specialized algorithms to identify intrusion signatures in network traffic. Detected intrusion signatures are reported to network administration.

A problem with conventional intrusion detection systems is that when a new vulnerability, or type of attack on the network, is discovered, a new intrusion signature must be generated and installed for each intrusion detection system. As a result, unless a network administrator frequently checks for new signatures developed by an intrusion detection provider and installs the new signatures for each sensor in his or her system, the system will remain vulnerable to the new types of attack. Because new types of attacks appear more frequently than network administrators typically check with an intrusion detection provider for new signatures, networks often remain vulnerable to new types of attacks even though new signatures are available to identify and prevent such attacks.
SUMMARY OF THE INVENTION 

The present invention provides a method and system for 
dynamically distributing intrusion detection and other types 
of updates in a network that substantially eliminate or reduce 
disadvantages and problems associated with prior methods 
and systems. In particular, the present invention automati- 
cally downloads updates from a remote site in response to a 
timed event. 

In accordance with one embodiment of the present 
invention, a first version of a program operating at a network 
site is updated by automatically downloading from a remote 
site any update for the program in response to an automated 
event. A downloaded update is installed to generate a second 
version of the program. The second version of the program 
is operated at the network site in place of the first version. 

More particularly, in accordance with a particular 
embodiment of the present invention, the automated event is 
a timed event. In this embodiment, the first version of the 
program is aged and the timed event is the first version 
reaching a specified age. The specified age may be 24 hours 
or other suitable age. In other embodiments, the timed event 
may be a specified time such that any updates are automati- 
cally downloaded once a day, once a week, or at other 
suitable frequency. 

After installation of a downloaded update, it may be 
determined whether the second version of the program is 
operating correctly. In response to incorrect operation of the 
second version, the first version of the program may be 
restored for operation at the network site. In response to 
correct operation of the second version, the downloaded 
update may be distributed to disparate network sites oper- 
ating the first version of the program. There, the downloaded 
update may be installed to generate the second version of the 
program at the disparate network sites. The second version 
of the program is operated in the place of the first version at 
the disparate network sites. 

Technical advantages of the present invention include providing an improved method and system for distributing updates in a network. In particular, programs are automatically updated by downloading and distributing an update in response to an automated event, such as a timed event. As a result, systems with a common program separately running at several sites may update each site with no or minimal operator interaction. In addition, updates may be rolled back at each site in a system, automatically or with minimal operator interaction, in response to an upgrade problem.

Additional technical advantages of the present invention include providing an improved intrusion detection system. In particular, each intrusion detection sensor may automatically connect to a remote site and download new intrusion detection signatures. Each sensor may also distribute the new signatures to related sensors within a system. Accordingly, network vulnerability due to new types of attacks is reduced. In addition, an intrusion detection service provider may update all of its customers by simply providing new signatures on a website to which each customer's system will automatically connect and from which it will download the new signatures in accordance with a specified frequency. Accordingly, the costs of providing intrusion detection services are reduced.

Other technical advantages will be readily apparent to one skilled in the art from the following figures, description, and claims.

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, wherein like reference numerals represent like parts, in which:

FIG. 1 is a block diagram illustrating a system for dynamically distributing intrusion detection signatures in accordance with one embodiment of the present invention;

FIG. 2 is a flow diagram illustrating a computer method for dynamically distributing intrusion detection signatures in the network of FIG. 1; and

FIG. 3 is a flow diagram illustrating a computer method for recovering from a problematic update in accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is a block diagram illustrating a system 10 for dynamically distributing updates in a network. In this embodiment, new intrusion signatures are distributed to remote intrusion detection sensors. The sensors use the intrusion signatures to detect and report unauthorized entry. It will be understood that the present invention may be used to distribute other suitable types of updates to intrusion detection and other suitable types of applications within a network.

Referring to FIG. 1, the system 10 includes a private network 12 and a public network 14. For the embodiment of FIG. 1, the private network is an Intranet 20 and the public network is an Internet 22. It will be understood that the private and public networks 12 and 14 may be other suitable types of networks.

The Intranet 20 includes a network interconnecting a plurality of hosts 24. The network is a local area network (LAN), a wide area network (WAN), or other suitable type of link capable of communicating data between the hosts 24. For the local area network embodiment, the network may be an Ethernet.

The hosts 24 are each a computer such as a personal computer, file server, workstation, minicomputer, mainframe or any general purpose or other computer or device capable of communicating with other computers or devices over a network. The hosts 24 operating on the border between the Intranet 20 and Internet 22 each include an intrusion detection sensor 26 for detecting and reporting unauthorized entry. As used herein, each means each of at least a subset of the identified items.

The intrusion detection sensors 26 each include a common set of intrusion signatures 28. The intrusion signatures 28 comprise patterns of network activity that denote or indicate unauthorized access or other harmful activity capable of damaging the host 24 or other aspect of the private network 12. Generally described, the intrusion detection sensors 26 detect such unauthorized access or attacks upon the host 24 by matching network traffic to the intrusion signatures 28.

The Internet 22 includes a sensor update server 30. The sensor update server 30 may be virtually any type of computer capable of storing intrusion updates 32 and communicating with other computers or devices over the Internet 22. The intrusion update 32 includes new intrusion signatures generated by an intrusion detection service provider in response to new types of attacks. The intrusion detection service provider generates the new signatures and provides them as the update 32 on a web page at the sensor update server 30 to allow customers to access the new signatures over the Internet 22. As described in more detail below, the update 32 is downloaded by customers over the Internet 22 and the new signatures are added to the intrusion signatures 28 residing on the host 24. In this way, the intrusion detection sensors 26 are kept up-to-date and able to detect and report new types of network and/or host based attacks.

FIG. 2 is a flow diagram illustrating a computer method for dynamically distributing intrusion detection updates over the Internet 22 or other suitable network. It will be understood that other types of updates for other types of applications may be similarly distributed over the Internet 22 or other suitable network without departing from the scope of the present invention.

Referring to FIG. 2, the method begins at step 50 in which a specified event is received. The specified event may be an automated event or a user initiated event. The automated event may be any event generated by the sensor or other software or hardware in accordance with predefined instructions or a logical set of such events. In one embodiment, the automated event is a timed event that is directly or indirectly based upon the reaching or passing of a specified time. For this embodiment, the intrusion detection sensors 26 may automatically age the intrusion signatures 28 after each update to allow the intrusion detection sensors 26 to automatically determine when the intrusion signatures 28 may be in need of updating. In this embodiment, an update event is generated in response to the intrusion signatures 28 reaching a specified age. The specified age may be 24 hours or another suitable time period that will allow the intrusion signatures 28 to be updated at a frequency that will minimize vulnerability of the private network 12 to new types of attacks. An event or action is in response to a specified event when the occurrence of the specified event directly or indirectly results in the responding event or action. Other events may be necessary to trigger the responding event or action, or may intervene between the specified event and the responding event or action. The update event may be another suitable type of timed event such as, for example, a specified or scheduled time of day, week, or the like.

In a particular embodiment, a user may select a number of sensors to be subordinate to a primary intrusion detection sensor or set of primary sensors. In this embodiment, only the primary sensors are responsible for generating the update event and only their intrusion signatures 28 are aged. Alternatively, each intrusion detection sensor 26 may independently age its own intrusion signatures 28 and generate the update event in response to its intrusion signatures 28 reaching the specified age. In this embodiment, no one intrusion detection sensor 26 or limited set of sensors is solely relied upon to initiate updating.

Proceeding to step 52, the intrusion detection sensor 26 generating the update event automatically connects to the sensor update server 30 over the Internet 22. At decisional step 54, the intrusion detection sensor 26 automatically determines whether the sensor update server 30 includes an update 32 for the intrusion signatures 28. In one embodiment, the intrusion detection sensor 26 may compare a time stamp of its last update to that of a current file on the sensor update server 30. In this embodiment, the current file is an update 32 if the time stamp for the file is later than that for the last update for the intrusion detection sensor 26. If an update 32 is not available, then the current set of intrusion signatures 28 is up-to-date and the No branch of decisional step 54 leads to the end of the process. Accordingly, the intrusion signatures 28 are updated only when needed. However, if an update 32 is available on the sensor update server 30, the Yes branch of decisional step 54 leads to step 56.
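The aging scheme of the summary and steps 50 through 54 above, as an added example that is not code from the patent: a sensor records when its signature set was installed, a primary sensor raises the update event once that set reaches a configured age (24 hours here) or, in the alternative embodiment, once a scheduled time of day has passed, and the sensor handling the event compares its last-update time stamp with the time stamp of the server's current file. The update server is an in-memory stand-in so that the example runs offline; the class and function names, the dates and the 02:00 schedule are all constructed for the example.

```python
"""Timed update trigger and server check (added example, not the patent's code).

Models the aging scheme of the summary and FIG. 2 steps 50 through 54. The
UpdateServer is a constructed stand-in for the sensor update server 30; all
names and time values are this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class SignatureSet:
    version: str
    installed_at: datetime        # stamped when the update was installed (step 60)


@dataclass
class Sensor:
    name: str
    signatures: SignatureSet
    primary: bool = True          # subordinate sensors do not age their own set
    max_age: timedelta = timedelta(hours=24)
    scheduled_at: Optional[time] = None   # alternative daily time-of-day trigger

    def update_event_due(self, now: datetime) -> bool:
        """Step 50: the timed event fires when the set has reached max_age or,
        when a schedule is configured, once the first scheduled time after the
        last install has passed."""
        if not self.primary:
            return False
        installed = self.signatures.installed_at
        if self.scheduled_at is not None:
            next_run = datetime.combine(installed.date(), self.scheduled_at, UTC)
            if next_run <= installed:
                next_run += timedelta(days=1)
            return now >= next_run
        return now - installed >= self.max_age


@dataclass
class UpdateServer:
    """Constructed stand-in for the sensor update server 30: one current file."""
    current_version: str
    current_timestamp: datetime


def check_server(sensor: Sensor, server: UpdateServer, now: datetime) -> str:
    """Steps 52-54. Returns 'not-due', 'up-to-date' or 'update-available'.
    The time-stamp comparison only decides whether a download is needed; it
    says nothing about the file's authenticity, which step 58 checks."""
    if not sensor.update_event_due(now):
        return "not-due"
    if server.current_timestamp <= sensor.signatures.installed_at:
        return "up-to-date"
    return "update-available"


def run_scenario() -> dict:
    """Constructed timeline: last install at 08:00 on 1 March; the provider
    posts a new file at 14:00 the same day."""
    t0 = datetime(2001, 3, 1, 8, 0, tzinfo=UTC)
    primary = Sensor("border-1", SignatureSet("v1", t0))
    stale = UpdateServer("v1", t0)
    fresh = UpdateServer("v2", t0 + timedelta(hours=6))
    subordinate = Sensor("inner-1", SignatureSet("v1", t0), primary=False)
    scheduled = Sensor("border-2", SignatureSet("v1", t0), scheduled_at=time(2, 0))
    return {
        "h23_stale": check_server(primary, stale, t0 + timedelta(hours=23)),
        "h24_stale": check_server(primary, stale, t0 + timedelta(hours=24)),
        "h23_fresh": check_server(primary, fresh, t0 + timedelta(hours=23)),
        "h24_fresh": check_server(primary, fresh, t0 + timedelta(hours=24)),
        "subordinate_day3": check_server(subordinate, fresh, t0 + timedelta(days=3)),
        "sched_0159": scheduled.update_event_due(datetime(2001, 3, 2, 1, 59, tzinfo=UTC)),
        "sched_0200": scheduled.update_event_due(datetime(2001, 3, 2, 2, 0, tzinfo=UTC)),
    }
```

Two points follow from running this. With the age policy, a file the provider posted at 14:00 is not fetched until the 24 hour age is reached at 08:00 the next day, so the specified age bounds how long the network stays exposed to a signature that is already available. And a subordinate sensor never raises the event on its own: if only the primary ages its set, the primary is the single point that decides when the fleet updates, which is why the description also allows every sensor to age its own set independently.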



US 6,484,315 B1

At step 56, the intrusion detection sensor 26 automatically downloads the update 32. Preferably, the update 32 is downloaded in an encrypted and integrity-protected format to prevent eavesdropping and tampering in transit, and is decrypted at the host 24. In addition, the update 32 may be protected by VPN, sequence numbering, other suitable form of secure communication, or a combination of forms. Next, at decisional step 58, the intrusion detection sensor 26 automatically authenticates the update 32. In one embodiment, the update 32 is authenticated by ensuring that the update is for the existing set of intrusion signatures 28. If the update 32 is not authentic, then it should not be installed and the No branch of decisional step 58 leads to the end of the process. Accordingly, an update 32 that cannot be authenticated is not installed. However, if the update 32 is authentic, the Yes branch of decisional step 58 leads to step 60.

At step 60, the intrusion detection sensor 26 automatically installs the update 32 to add the new signatures to the preexisting intrusion signatures 28. Next, at decisional step 62, the intrusion detection sensor 26 automatically determines if it is operating correctly with the installed update by comparing its operation to specified parameters, limits, and the like. If the intrusion detection sensor 26 is not operating correctly, then the No branch of decisional step 62 leads to step 64 where recovery processing is automatically initiated and the update 32 is uninstalled. Accordingly, the intrusion detection sensor 26 is returned to its previous state and the private network 12 is not left vulnerable by an incorrectly operating intrusion detection sensor 26. However, if the updated intrusion detection sensor 26 is operating correctly, the Yes branch of decisional step 62 leads to step 66.

At step 66, the intrusion detection sensor 26 automatically broadcasts an update message over the Intranet 20. The update message informs the other intrusion detection sensors 26 of the availability of the update 32. Next, at step 68, the update 32 is automatically transmitted to the intrusion detection sensors 26 that responded to the update message. In one embodiment, the update message identifies the update, and intrusion detection sensors 26 not having that update respond to request the update 32. The update 32 may be transmitted over the Intranet 20 in an encrypted format and a secure form and decrypted by each of the second stage intrusion detection sensors 26 as previously described for the first stage intrusion detection sensor 26 that originally received the update 32. If a sensor hierarchy is used, relationships between primary and secondary sensors may be predefined, with the primary sensors each sending updates 32 to their respective secondary sensors. In addition, the relationship may be recursive, with secondary sensors having their own children.

Proceeding to decisional step 70, each of the second stage intrusion detection sensors 26 authenticates the update 32 as previously described in connection with the first stage intrusion detection sensor 26. If the update 32 cannot be authenticated by a second stage intrusion detection sensor 26, the No branch of decisional step 70 returns to step 68 for that second stage intrusion detection sensor 26, where the update 32 is retransmitted to the intrusion detection sensor 26. Alternatively, or in response to several unsuccessful attempts to transmit an authentic update 32 to a second stage sensor, the No branch of decisional step 70 may lead to the end of the process, where the update 32 is not installed for that intrusion detection sensor 26. After an authentic update 32 is received by a second stage intrusion detection sensor 26, the Yes branch of decisional step 70 leads to step 72.

At step 72, the update 32 is automatically installed for each of the second stage intrusion detection sensors 26 receiving an authentic update 32 to generate an updated set of intrusion signatures 28. Accordingly, all intrusion detection sensors 26 in the private network 12 are automatically updated to protect all avenues of access to the private network 12 from the new types of attacks.

Proceeding to decisional step 74, each of the second stage intrusion detection sensors 26 determines if it is operating correctly with the installed update 32. If a second stage intrusion detection sensor 26 is not operating correctly, the No branch of decisional step 74 leads to step 76. At step 76, a recovery process is initiated for that intrusion detection sensor 26 and the update 32 is uninstalled. In this way, it is ensured that each of the second stage intrusion detection sensors 26 will remain in operating condition. For each second stage intrusion detection sensor 26 operating correctly with the installed update 32, the Yes branch of decisional step 74 leads to the end of the process. Accordingly, all intrusion detection sensors 26 for the private network 12 have been automatically updated. Because user interaction is not required, the intrusion detection sensors 26 may be frequently and efficiently updated to ensure that the private network 12 is not vulnerable to new types of attacks.

It will be understood that the intrusion detection sensors 26 may be otherwise suitably updated without departing from the scope of the present invention. For example, although the method is described with the intrusion detection sensor 26 performing the specified actions, it will be understood that another application in or remote from the hosts 24 may carry out the updating functionality identified for the intrusion detection sensor 26.

FIG. 3 illustrates a computer method for recovery processing in accordance with one embodiment of the present invention. Referring to FIG. 3, the method begins at step 90 in which a recovery event is received. The recovery event may be initiated by an intrusion detection sensor 26 in response to incorrect operation of the intrusion detection sensor 26. The recovery event may also be independently initiated by an operator to uninstall the update 32.

Proceeding to step 92, the update 32 is uninstalled from a first intrusion detection sensor 26. The first intrusion detection sensor 26 may be the first sensor 26 on which the update 32 was initially installed, or another intrusion detection sensor 26 detecting incorrect operation or receiving a user command to initiate recovery processing. Uninstalling the update 32 returns the first intrusion detection sensor 26 to its previous state.

Next, at step 94, the first intrusion detection sensor 26 transmits a recovery message to the remaining intrusion detection sensors 26 in the private network 12 on which the update 32 was installed. Next, at step 96, each of the remaining intrusion detection sensors 26 uninstalls the update 32 in response to the recovery message. Accordingly, each intrusion detection sensor 26 in the private network 12 is returned to its previous state in response to a single recovery event. In this way, the integrity of the private network 12 and of the intrusion detection system for the private network 12 is maintained, with each of the intrusion detection sensors 26 in the same state. Step 96 leads to the end of the process, by which each of the intrusion detection sensors 26 has been returned to the same recovery state.

Although the present invention has been described with several embodiments, various changes and modifications may be suggested to one skilled in the art. It is intended that the present invention encompass such changes and modifications as fall within the scope of the appended claims.
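Steps 56 through 76 and the FIG. 3 recovery flow, as an added example that is not code from the patent. The description's own authentication test, that the update is for the existing set of intrusion signatures 28, is a compatibility check rather than proof of origin, so the example also carries an HMAC-SHA256 over the bundle under a key shared with the update server; both checks must pass before anything is installed. The step 62 self-check, "comparing its operation to specified parameters, limits, and the like", is modelled as a constructed probe set that an updated sensor must still classify correctly: every pattern must compile, the known attack probes must still be detected, and the benign lines must not be flagged. The key, the signature patterns, the probe traffic, and the names Sensor, Fleet, sign_update and authenticate are all constructed for the example.

```python
"""Authenticated install, self-check, fleet distribution and rollback
(added example, not the patent's code). Models FIG. 2 steps 56 through 76
and the FIG. 3 recovery flow. Names, key and traffic are constructed."""
import hashlib
import hmac
import json
import re

SHARED_KEY = b"constructed-demo-key-not-for-production"  # constructed

# Constructed traffic. BASE_PATTERNS is the fleet's first signature set; the
# self-check requires the attacks to stay detected and the benign lines to
# stay clean after an update is installed.
BASE_PATTERNS = [r"cgi-bin/phf", r"PASS .{512,}"]
ATTACK_PROBES = ["GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0",
                 "USER root\r\nPASS " + "A" * 600]
BENIGN_PROBES = ["GET /index.html HTTP/1.0", "USER alice\r\nPASS hunter2"]
NEW_ATTACK = "GET /../../../etc/shadow HTTP/1.0"   # covered only by the v2 update


def sign_update(base_version, version, patterns, key=SHARED_KEY):
    """Provider side: canonical JSON bundle plus an HMAC-SHA256 over it."""
    payload = json.dumps({"base_version": base_version, "version": version,
                          "patterns": patterns}, sort_keys=True).encode()
    return {"payload": payload,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def authenticate(update, current_version, key=SHARED_KEY):
    """Step 58: constant-time MAC check, then the 'for the existing set' check.
    Returns the decoded bundle, or None if the update must not be installed."""
    mac = hmac.new(key, update["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, update["mac"]):
        return None
    body = json.loads(update["payload"])
    return body if body["base_version"] == current_version else None


class Sensor:
    def __init__(self, name, version, patterns):
        self.name, self.version, self.patterns = name, version, list(patterns)
        self.history = []          # prior (version, patterns) states for rollback

    def matches(self, packet):
        return any(re.search(p, packet) for p in self.patterns)

    def install(self, body):
        """Steps 60/72: add the new signatures, keeping the prior state."""
        self.history.append((self.version, list(self.patterns)))
        self.version = body["version"]
        self.patterns.extend(body["patterns"])

    def operating_correctly(self):
        """Steps 62/74: every pattern compiles and the probe set is classified."""
        try:
            for p in self.patterns:
                re.compile(p)
        except re.error:
            return False
        return (all(self.matches(a) for a in ATTACK_PROBES)
                and not any(self.matches(b) for b in BENIGN_PROBES))

    def rollback(self):
        """Steps 64/76/92: uninstall the update by restoring the prior state."""
        if self.history:
            self.version, self.patterns = self.history.pop()


class Fleet:
    def __init__(self, sensors):
        self.sensors, self.log = sensors, []

    def apply(self, first_stage, update):
        """Steps 56-76: the first stage authenticates, installs and self-checks;
        on success every peer lacking the version requests, authenticates and
        installs it. A failed second-stage self-check starts fleet recovery."""
        body = authenticate(update, first_stage.version)
        if body is None:
            self.log.append(f"{first_stage.name}: rejected unauthentic update")
            return False
        first_stage.install(body)
        if not first_stage.operating_correctly():
            first_stage.rollback()
            self.log.append(f"{first_stage.name}: self-check failed, rolled back")
            return False
        for peer in self.sensors:                          # steps 66-68
            if peer is first_stage or peer.version == body["version"]:
                continue
            peer_body = authenticate(update, peer.version)  # step 70
            if peer_body is None:
                self.log.append(f"{peer.name}: could not authenticate update")
                continue
            peer.install(peer_body)                         # step 72
            if not peer.operating_correctly():              # step 74
                self.recover(peer)                          # step 76
                return False
        return True

    def recover(self, initiator):
        """FIG. 3: the initiator uninstalls the update and its recovery message
        makes every peer still running that version do the same."""
        bad_version = initiator.version
        initiator.rollback()
        for peer in self.sensors:
            if peer.version == bad_version:
                peer.rollback()
        self.log.append(f"{initiator.name}: recovery to {initiator.version}")
```

To exercise it, build a Fleet of Sensors on BASE_PATTERNS, sign a bundle with sign_update("v1", "v2", [r"\.\./\.\./"]) and pass it to Fleet.apply; every sensor then detects NEW_ATTACK. A bundle whose new pattern is too broad (for example r"GET ") is installed on the first stage, fails the self-check because benign traffic fires, and is rolled back before it is broadcast, so the rest of the fleet never sees it. Fleet.recover on any sensor is the operator-initiated recovery event of FIG. 3 and returns every sensor running that version to the prior state. One caveat the description leaves open: because steps 66 through 72 have sensors redistribute the update to each other, a MAC under a key shared by every sensor lets any one compromised border host mint a bundle its peers will accept. In a deployment the provider should sign bundles with a private key and the sensors verify with the corresponding public key; that is a drop-in replacement for sign_update and authenticate and nothing else in the flow changes.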
What is claimed is: 

1. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

automatically installing a downloaded update to generate a second version of the program;

after installation of the downloaded update, automatically determining whether the second version of the program is operating correctly;

in response to correct operation of the second version, operating the second version of the program in place of the first version at the network site; and

in response to incorrect operation of the second version, automatically restoring the first version of the program for operation at the network site.

2. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

installing a downloaded update to generate a second version of the program; and

operating the second version of the program in place of the first version at the network site;

automatically distributing the downloaded update to a disparate network site operating the first version of the program;

automatically installing the downloaded update to generate the second version of the program at the disparate network site; and

automatically operating the second version of the program in place of the first version at the disparate network site.

3. A method for updating a first version of a program operating at a network site, comprising:

in response to an automated event, automatically downloading from a remote site any update for the program;

installing a downloaded update to generate a second version of the program;

after installation of the downloaded update, automatically determining whether the second version of the program is operating correctly at the network site;

in response to incorrect operation of the second version, automatically restoring the first version of the program for operation at the network site; and

in response to correct operation of the second version at the network site:

automatically distributing the downloaded update to a disparate network site operating the first version of the program;

automatically installing the downloaded update to generate the second version of the program at the disparate network site; and

automatically operating the second version of the program in place of the first version at the disparate network site.
4. A method for updating a first version of a program 
operating at a network site, comprising: 

in response to an automated event, automatically down- 
loading from a remote site any update for the program; 

automatically installing a downloaded update to generate 
a second version of the program; and 

operating the second version of the program in place of 
the first version at the network site; 

broadcasting over a network an update message; 

receiving in response to the update message a request for 
the downloaded update from each of a plurality of 
disparate network sites operating the first version of the 
program; 

automatically distributing the downloaded update to the 
disparate network sites requesting the downloaded 
update; 

automatically installing the downloaded update to gener- 
ate the second version of the program at each of the 
disparate network sites; and 

automatically operating the second version of the program 
in place of the first version at each of the disparate 
network sites. 

5. The method of claim 4, further comprising:

receiving a recovery event at one of the network sites;

automatically restoring the first version of the program at the network site at which the recovery event was received;

broadcasting a recovery message from the network site over the network; and

automatically restoring the first version of the program at each of the remaining network sites operating the second version of the program.

6. The method of claim 5 wherein the recovery event 
occurs in response to incorrect operation of the second 
version of the program. 

7. An intrusion detection system, comprising: 

a private network including a plurality of sites connected 
to a public network, each site including an intrusion 
detection sensor operating with a first set of intrusion 
detection signatures; and 

each of the intrusion detection sensors operable to auto- 
matically download from a remote site any update for 
the intrusion detection signatures in response to a 
specified event, to automatically install a downloaded 
update to generate a second set of intrusion detection 
signatures, to operate with the second set of intrusion 
detection signatures, and to automatically distribute the 
downloaded update to the remaining intrusion detec- 
tion sensors for installation. 

8. The system of claim 7, wherein the specified event is 
an automated event. 

9. The system of claim 8, wherein the automated event is 
a timed event. 
